Naughty Plugins Caught And Removed From Repository

Siobhan McKeown has published a disturbing yet not out of the ordinary article that explains how a couple of plugins were recently added to the plugin repository that were using a version of J-Query from J-Query.org which after investigation proved to be a fake website. The purported J-Query file was actually propagating sites with CPA Infinity Affiliate Links. After the article was published, Otto responded in the comments to make note that the plugins were removed and the user who uploaded them has been banned. This is yet another reminder that the WordPress plugin repository is a powerful place to do naughty business for those that can get past a couple pair of eyeballs and not get noticed right away.

For the future, Otto recommends doing the following if you spot something malicious within a plugin on the repository:

Obviously malicious code doesn’t last long before somebody spots it (this one only lasted a week before somebody noticed, and it would have been removed that same day if anybody had reported it to us at plugins@wordpress.org), but unintended security holes can become widely propagated for a longer period of time, leading to issues when hackers find and exploit them. So they are of a somewhat higher priority to find.

Apparently, reporting offending plugins to that email address gets swifter action than anything else. Although not related specifically to this story, I think it’s good to be reminded of June 21, 2011 when a number of suspicious commits were made to popular plugins after hackers gained access to the plugin repository. Thankfully, those commits were caught in a short period of time but there is no guarantee that they would catch them in time again.

Like this:

Related

2 Comments

And how do plugin developers get their plugins back into the repository if they’ve been pulled due to a security bug but later fixed?

AdRotate was pulled, fixed but the developer has been having a hell of a time getting it back in the repository.

I don’t know the guy, I use his plugin and it’s a shame Arnan has run into a dead-end. His dealings with WordPress.org remind me of how it is to deal with Google. I must admit that me myself when I’ve had an issue with something like the Intense Debate plugin I got an email from Matt himself apologizing. Personal reply or boilerplate letter it doesn’t matter as it was still a quick response and I’m grateful for WordPress.org for being responsive.

You can read about Arnan trying to get back into the plugin directory here:

@Baron – When a plugin is pulled for a security exploit, like AdRotate was, there is a specific sequence of events that is supposed to take place.
1. The plugin is de-listed from the repository, to prevent further downloads of an insecure plugin.
2. If the exploit is accidental or not obviously malicious, the developer is notified via email. The email comes from a valid address (plugins at wporg) and can be replied to.
3. The plugin developer presumably fixes the exploit or tells us that it is an invalid exploit, updates the plugin in SVN, and emails back saying so.
4. We check it out, and either provide advice or re-enable the plugin.

Now, it seems that the developers of that plugin aren’t really paying too much attention to their emails. They were emailed, at their email address attached to the username in WordPress.org, which owns their plugin. They either did not receive the email or chose to not respond to it.

There is no reasonable case in which somebody would need to post to the forums, as they claim, in order to figure out who to reply to. They were emailed when the plugin was closed. If they didn’t get it, then maybe they should update the email address on their WordPress.org user account to a valid email address to ensure they stay informed.

Also note that this is not the first time they’ve been through this dance; they have had security issues before and they should have figured it out by now.